b"DEPARTMENT OF HOMELAND SECURITY\n       Office of Inspector General\n\n        Technical Security Evaluation of \n\n       U.S. Customs and Border Protection \n\n                 Activities at the \n\n         Chet Holifield Federal Building\n\n                   (Redacted)\n\n\n\n\n\n  Notice: The Department of Homeland Security, Office of Inspector General, has redacted\n  this report for public release. A review under the Freedom of Information Act will be\n  conducted upon request.\n\n\n\n\nOIG-08-37                                                                     April 2008\n\x0c                                                         Office of Inspector General\n\n                                                         U.S. Department of Homeland Security\n                                                         Washington, DC 20528\n\n\n\n\n                                      April 8, 2008\n\n\n                                     Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was\nestablished by the Homeland Security Act of 2002 (Public Law 107-296) by amendment\nto the Inspector General Act of 1978. This is one of a series of audit, inspection, and\nspecial reports prepared as part of our oversight responsibilities to promote economy,\nefficiency, and effectiveness within the department.\n\nOur report addresses the strengths and weaknesses of the implementation of technical and\ninformation security policies and procedures at U.S. Customs and Border Protection\nlocations at the Chet Holifield Federal Building, Laguna Niguel, California. It is based\non interviews with employees and officials of relevant agencies and institutions, direct\nobservations, and reviews of applicable documents.\n\nThe recommendations herein have been developed to the best knowledge available to our\noffice, and have been discussed in draft with those responsible for implementation. It is\nour hope that this report will result in more effective, efficient, and economical\noperations. We express our appreciation to all of those who contributed to the\npreparation of this report.\n\n\n\n\n                                     Richard L. Skinner \n\n                                     Inspector General \n\n\n\n\n\n.\n\x0cTable of Contents/Abbreviations \n\n\n\nExecutive Summary ............................................................................................................ 1 \n\n\nBackground ......................................................................................................................... 2 \n\n\nResults of Review ............................................................................................................... 4\n\n\n\n      Systems Did Not Comply Fully With DHS Operational Control Requirements ........ 4 \n\n      Recommendations ....................................................................................................... 7 \n\n      Management Comments and OIG Analysis................................................................ 8 \n\n\n      Systems Did Not Comply Fully With DHS Technical Control Requirements ........... 9 \n\n      Recommendations ................................................................................................ .... 11 \n\n      Management Comments and OIG Analysis.............................................................. 11 \n\n\n      Systems Did Not Comply Fully With DHS Management Control Requirements .... 12 \n\n      Recommendations ..................................................................................................... 17 \n\n      Management Comments and OIG Analysis.............................................................. 17 \n\n\nAppendices\nAppendix A:          Purpose, Scope, and Methodology............................................................. 20 \n\nAppendix B:          Management Comments to Draft Report ................................................... 22 \n\nAppendix C:          Major Contributors to This Report............................................................. 26 \n\nAppendix D:          Report Distribution..................................................................................... 27 \n\n\nAbbreviations\n     CBP                                    U.S. Customs and Border Protection       \n\n     CHFB                                   Chet Holifield Federal Building    \n\n     CIO                                    Chief Information Officer \n\n     CISO                                   Chief Information Security Officer     \n\n     DAA                                    Designated Accrediting Authority     \n\n     DHS                                    Department of Homeland Security       \n\n     DHS Directive 4300A                    DHS Sensitive Systems Policy Directive 4300A \n\n     DHS 4300A Handbook                     DHS 4300A Sensitive Systems Handbook \n\n     FISMA                                  Federal Information Security Management Act    \n\n     HVAC                                   Heating, Ventilation, and Air Conditioning   \n\n     ICE                                    Immigration and Customs Enforcement        \n\n     ISA                                    Interconnection Security Agreement       \n\n     IT                                     Information Technology      \n\n     LAN                                    Local Area Network \n\n     OIG                                    Office of Inspector General    \n\n\n\n.\n\x0cTable of Contents/Abbreviations \n\n\n\n    PIA         Privacy Impact Assessment\n    PII         Personally Identifiable Information\n    PTA         Privacy Threshold Analysis\n    SORN        System of Records Notice\n    SSH         Secure Shell\n    TA-FISMA    Trusted Agent FISMA\n    USCIS       United States Citizenship and Immigration Services\n\n\n\n\n.\n\x0cOIG\n\nDepartment of Homeland Security\nOffice of Inspector General\n\n\nExecutive Summary\n                     We initiated a program to determine the extent to which critical\n                     Department of Homeland Security sites comply with the\n                     department\xe2\x80\x99s technical and information security policies and\n                     procedures. Based on our internal analysis, we selected the Chet\n                     Holifield Federal Building located in Laguna Niguel, California\n                     where the U.S. Customs and Border Protection\xe2\x80\x99s Southern\n                     California field support and Human Resources Management staffs\n                     are located.\n\n                     Our evaluation focused on how Customs and Border Protection has\n                     implemented computer security operational, technical, and\n                     management controls for its information technology resources at\n                     this site. We performed onsite inspections of the areas where these\n                     resources were located, interviewed departmental staff, and\n                     conducted technical tests of internal controls, e.g., scans for\n                     wireless networks. We also reviewed applicable departmental\n                     policies, procedures, and other appropriate documentation.\n\n                     The information technology security controls implemented at this\n                     site have deficiencies that, if exploited, could result in the loss of\n                     confidentiality, integrity, and availability of information\n                     technology systems. Specifically, Customs and Border Protection\n                     needs to improve its environmental, business continuity, and\n                     physical security controls for its computer room and\n                     telecommunications closets. Customs and Border Protection could\n                     also improve its technical controls at this site\n\n                     Additionally, management controls could be improved at this site\n                     by implementing effective capital planning and investment control\n                     procedures and by completing all required system accreditation\n                     activities.\n\n\n\n\n       Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                             the Chet Holifield Federal Building\n\n                                            Page 1\n\x0cBackground\n                   We designed our Technical Security Evaluation Program to\n                   provide senior Department of Homeland Security (DHS) officials\n                   with timely information on whether they had properly\n                   implemented DHS information technology (IT) security policies at\n                   critical sites. Our program is based on DHS Sensitive Systems\n                   Policy Directive 4300A (DHS Directive 4300A), which applies to\n                   all DHS components and provides direction to managers and\n                   senior executives regarding the management and protection of\n                   sensitive systems. DHS Directive 4300A also outlines policies\n                   relating to the operational, technical, and management controls that\n                   are necessary for ensuring confidentiality, integrity, availability,\n                   authenticity, and non-repudiation within the DHS IT infrastructure\n                   and operations. A companion document\xe2\x80\x94the DHS 4300A\n                   Sensitive Systems Handbook (DHS 4300A Handbook) \xe2\x80\x94provides\n                   detailed guidance on the implementation of these policies and\n                   DHS IT security policies are organized under operational,\n                   technical, and management controls as follows:\n\n                           \xe2\x80\xa2\t Operational Controls \xe2\x80\x93 Focus on mechanisms\n                              primarily implemented and executed by people. These\n                              controls are designed to improve the security of a\n                              particular system, or group of systems. These controls\n                              require technical or specialized expertise and often rely\n                              on management and technical controls.\n\n                                                       **********\n\n                           \xe2\x80\xa2\t Technical Controls \xe2\x80\x93 Focus on security controls\n                              executed by IT systems. These controls provide\n                              automated protection from unauthorized access or\n                              misuse. They facilitate detection of security violations,\n                              and support security requirements for applications and\n                              data.\n\n                                                       **********\n\n                           \xe2\x80\xa2\t Management Controls \xe2\x80\x93 Focus on managing both the\n                              IT security system and system risk. These controls\n                              consist of risk mitigation techniques and concerns\n                              normally addressed by management.\n\n\n\n\n     Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                           the Chet Holifield Federal Building\n\n                                          Page 2\n\x0c              Based on our internal analysis, we selected the Chet Holifield\n              Federal Building (CHFB) located in Laguna Niguel, California,\n              where U.S. Customs and Border Protection\xe2\x80\x99s (CBP) Southern\n              California field support and Human Resources Management staffs\n              are located. The United States Citizenship and Immigration\n              Services (USCIS) and United States Immigration and Customs\n              Enforcement (ICE) also operated in this facility, and their activities\n              will be addressed in separate evaluation reports.\n\n              CBP operates a server/telecommunications room at CHFB and\n              relies on telecommunications lines concentrated in two additional\n              telecommunications closets that are shared with ICE.\n              Additionally, CBP relies on servers and routers operated by ICE in\n              a separate server/telecommunications room. Operational and\n              technical control weaknesses associated with these servers and\n              routers operated by ICE, but used by CBP, will be reported\n              separately in the ICE specific evaluation report.\n\n\n\n\nTechnical Security Evaluation of U.S. Customs and Border Protection Activities at\n                      the Chet Holifield Federal Building\n\n                                     Page 3\n\x0cResults of Review\n\n     Systems Did Not Comply Fully With DHS Operational\n     Control Requirements\n                     Some operational controls that CBP implemented at CHFB did not\n                     always conform to DHS policies; these included environmental,\n                     business continuity, and physical security controls. The\n                     environmental and business continuity deficiencies are particularly\n                     significant and place CBP at risk of being unable to access IT\n                     assets and data at this site when necessary. Collectively, these\n                     deficiencies could place at risk the confidentiality, integrity, and\n                     availability of the data stored, transmitted, and processed by CBP\n                     at CHFB.\n\n                     Environmental Controls\n\n                     The air conditioning unit in the CBP server/telecommunications\n                     room may be inadequate. While the air conditioning unit was set\n                     to cool the room to 67 degrees, the room temperature was\n                     71 degrees during our visit in February 2007. See Figure 1 below.\n\n\n\n\n                                Figure 1: Air Conditioner Temperature Display\n\n\n\n\n       Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                             the Chet Holifield Federal Building\n\n                                            Page 4\n\x0c              According to the DHS 4300A Handbook:\n\n                      Temperatures in computer storage areas should be held\n                      between 60 and 70 degrees Fahrenheit.\n\n              The absence of adequate heating, ventilation, and air\n              conditioning (HVAC) capabilities for IT equipment increases the\n              risk that CBP\xe2\x80\x99s IT assets may malfunction.\n\n              Following discussions, CBP staff informed us that this HVAC unit\n              was a temporary solution. Further, the Information Systems\n              Security Officer for the Far West Field Local Area Network (LAN)\n              requested that CBP perform a risk assessment at the CHFB. One\n              of the results of the risk assessment will be the identification of the\n              proper HVAC capabilities necessary for the CBP IT resources at\n              CHFB.\n\n              Business Continuity\n\n              CBP\xe2\x80\x99s business continuity capability needs to be strengthened at\n              CHFB. Although CBP had an uninterruptible power supply for the\n              CBP IT assets in the server room, officials reported that the\n              capacity of the device is minimal and will only allow the server to\n              power-off. CBP does not have a backup electrical generator to\n              support the server room. Furthermore, CBP\xe2\x80\x99s electronic\n              equipment may be at risk of damage or malfunction due to the lack\n              of an emergency shut-off switch. Without an emergency shut-off\n              switch, the IT resources that are still receiving power when the\n              sprinklers are activated are at increased risk of a short circuit\n              during a fire.\n\n              According to the DHS 4300A Handbook:\n\n                      DHS must have the capability to ensure continuity of\n                      essential functions under all circumstances.\n\n              Physical Security Controls\n\n              The CBP server room has several boxes stored around the air\n              conditioning unit. See Figure 2 below. This increases the risk that\n              CBP\xe2\x80\x99s IT assets may inadvertently lose power or be accidentally\n              damaged. CBP could also better protect its IT assets from damage\n\n\n\n\nTechnical Security Evaluation of U.S. Customs and Border Protection Activities at\n                      the Chet Holifield Federal Building\n\n                                     Page 5\n\x0c              by ensuring that the immediate areas in the server room are not\n              used for general storage.\n\n\n\n\n                  Figure 2: Air Conditioner and Storage in CBP Server Room\n\n              According to the DHS 4300A Handbook:\n\n                      Controls for deterring, detecting, restricting, and\n                      regulating access to sensitive areas shall be in place and\n                      will be sufficient to safeguard against possible loss, theft,\n                      destruction, damage, hazardous conditions, fire, malicious\n                      actions, and natural disasters.\n\n              CBP staff informed us that this storage was a temporary\n              arrangement and they have removed these boxes from their server\n              room.\n\n              CBP is also not in compliance with its own security guidelines for\n              IT resources. Specifically, in a room shared with ICE, there is a\n              CBP server stored in a locked cabinet and CBP\n              telecommunications assets sharing one of two telecommunications\n              racks with ICE equipment. See Figures 3 and 4 below.\n              Additionally, during our onsite visit, CBP officials had difficulty\n              gaining access to a second room containing CBP\n              telecommunication assets. CBP staff had to contact ICE for entry\n              to this room.\n\n\n\n\nTechnical Security Evaluation of U.S. Customs and Border Protection Activities at\n                      the Chet Holifield Federal Building\n\n                                     Page 6\n\x0c               Figure 3: Shared                   Figure 4: CBP-Operated Server\n               Telecommunications Rack\n\n               According to CBP\xe2\x80\x99s Information Systems Security Policies and\n               Procedures Handbook, CIS HB 1400-05C, Section 5.3.1:\n\n                       Rooms containing information systems hardware and\n                       software, such as Local Area Network (LAN) rooms or\n                       telephone closets, must be secured and accessible by\n                       authorized CBP personnel only.\n\n               During discussions, staff from the office of the DHS Chief\n               Information Security Officer (CISO) suggested that CBP review\n               their security guidelines. CBP is now in the process of reviewing\n               and updating their security policies to allow sharing facilities with\n               authorized DHS components.\n\nRecommendations:\n               We recommend that the CBP Chief Information Officer (CIO) take\n               the following actions for CBP activities at CHFB:\n\n               Recommendation #1: Implement stronger physical security and\n               environmental controls to protect CBP\xe2\x80\x99s IT assets from possible\n               destruction, accidental damage, hazardous conditions, fire,\n               malicious actions, and natural disasters.\n\n               Recommendation #2: Implement business continuity of\n               operations capability for CBP facilities at CHFB,\n\n\n\n\n Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                       the Chet Holifield Federal Building\n\n                                      Page 7\n\x0cManagement Comments and OIG Analysis\n               We obtained written comments on a draft of this report from the\n               CBP Office of Policy and Planning. We have included a copy of\n               the comments in their entirety at Appendix B.\n\n               In the comments, CBP concurred with findings and\n               recommendations one and two in our report. Specifically, CBP has\n               updated policy and taken several steps towards improving physical\n               and environmental security of IT at CHFB. Recommendation one\n               will be considered resolved but open pending verification of all\n               planned actions.\n\n               As stated above, CBP has concurred with recommendation two. In\n               its comments, CBP stated that the IT contingency plan has been\n               provided for updating the CHFB Continuity of Operations Plan.\n               CBP is also working to provide an emergency backup electrical\n               generator and an emergency shut-off switch to support its server\n               room.\n                              Therefore, recommendation two will be considered\n               resolved but open pending verification of all planned actions.\n\n\n\n\n Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                       the Chet Holifield Federal Building\n\n                                      Page 8\n\x0c        Systems Did Not Comply Fully With DHS Technical\n        Control Requirements\n                          CBP\xe2\x80\x99s implementation of technical controls did not conform to\n                          DHS policies involving configuration management of CBP\xe2\x80\x99s\n                          server and router. These deficiencies increase the risk that CBP IT\n                          systems used at CHFB are vulnerable to internal attacks.\n\n                          Server Configuration Management\n\n                          CBP\xe2\x80\x99s server was not properly configured to prevent an \xe2\x80\x9cinsider\xe2\x80\x9d\n                          from gaining unauthorized privileges and information. 1 For\n                          example, the following services with known vulnerabilities were\n                          enabled or provided unnecessary information to anonymous\n                          requests:\n\n                              \xe2\x80\xa2\t Blah11 (1042/tcp) \xe2\x80\x93 Our scan reported that Blah11 was\n                                 implemented. This scan report needs to be investigated\n                                 further to determine whether it was an incorrect report or if\n                                 a known Trojan horse is operating on this host. 2\n\n\n\n\n1\n  According to the National Institute of Standards and Technology\xe2\x80\x99s Threat Assessment of Malicious Code\n\nand Human Threats (NISTIR 4939), \xe2\x80\x9cInsiders are legitimate users of a system. When they use that access\n\nto circumvent security, that is known as an insider attack.\xe2\x80\x9d\n\n2\n  According to the DHS 4300 Handbook: \n\n\n        A Trojan horse is a computer program that is apparently or actually useful but performs another\n        function. A Trojan horse generally provides remote control access to an unauthorized person. A\n        Trojan horse can be used to modify databases, write checks, send e-mail, or destroy files. It could\n        be imbedded by a programmer or downloaded from the Internet.\n\n\n\n            Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                                  the Chet Holifield Federal Building\n\n                                                 Page 9\n\x0c              According to DHS Directive 4300A:\n\n                      Components shall manage systems to reduce vulnerabilities\n                      through vulnerability testing, promptly installing patches,\n                      and eliminating or disabling unnecessary services, if\n                      possible.\n\n              Following presentation of these scans, CBP performed further\n              research and determined that Blah11 was falsely reported, as it was\n              not installed on their system. Further, CBP is evaluating the need\n              for port 1042/tcp.\n\n              Router Configuration Management Controls\n\n              CBP\xe2\x80\x99s router at CHFB was not properly configured to prevent an\n              \xe2\x80\x9cinsider\xe2\x80\x9d from gaining unauthorized privileges and information\n\n\n\n\n              As a result of our scans, CBP officials began to reevaluate their\n              policy for internal routers and their associated open/unfiltered\n              ports. CBP is currently evaluating an updated security profile for\n              several of the ports and accessible services.\n\n\n                                                                 This may allow\n              an attacker to capture login credentials and remotely take control\n              of the router and change or delete configuration files.\n\n              According to DHS Directive 4300A:\n\n                      A connection protocol such as Secure Shell (SSH) that\n                      employs secure authentication (two factor, encrypted, key\n\n\n\nTechnical Security Evaluation of U.S. Customs and Border Protection Activities at\n                      the Chet Holifield Federal Building\n\n                                    Page 10\n\x0c                       exchange, etc.) and is approved by the Component shall be\n                       used instead.\n\n               CBP has informed us that        will be disabled and SSH will be\n               implemented after the entire CBP component is migrated to the\n               DHS OneNet. The date for this is November 2, 2007.\n\nRecommendations:\n               We recommend that the CBP CIO take the following actions for\n               CBP activities at CHFB:\n\n               Recommendation #3: Use a connection protocol that employs\n               secure authentication.\n\n               Recommendation #4: Eliminate or disable unnecessary services\n               from the server and router.\n\nManagement Comments and OIG Analysis\n\n               In the comments, CBP concurred with these two recommendations\n               and also reported steps that it plans to take to resolve these issues.\n               These recommendations will be considered resolved but open\n               pending verification of reported actions.\n\n\n\n\n Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                       the Chet Holifield Federal Building\n\n                                     Page 11\n\x0c        Systems Did Not Comply Fully With DHS Management\n        Control Requirements\n                         CBP\xe2\x80\x99s implementation of management controls at CHFB did not\n                         conform to DHS policies. Specifically, there are deficiencies in\n                         capital planning and investment controls, system accreditation,\n                         establishment of interconnection security agreements (ISA), and\n                         privacy compliance activities related to personal information 3\n                         These management control deficiencies increase the risk to CBP\xe2\x80\x99s\n                         IT investments, systems, and data from new threats and\n                         vulnerabilities for which safeguards have not been implemented.\n\n                         Capital Planning and Investment Control\n\n                         CBP did not adequately consider shared infrastructure when it\n                         installed a new server room and telecommunications lines at\n                         CHFB. 4 Specifically, CBP did not perform a formal analysis of\n                         the benefits of using the DHS operated, shared server room in\n                         CHFB Use of this shared infrastructure would also support the\n                         department\xe2\x80\x99s commitment to functional integration. CBP cannot\n                         be certain that the approach it has adopted is the most cost\n                         effective solution.\n\n                         According to DHS Management Directive 0007.1, Information\n                         Technology Integration And Management:\n\n                                  Functional integration: Is a transformation process that\n                                  enhances efficient and effective use of resources by\n                                  establishing unified policies and business processes, the\n                                  use of shared or centralized services and standards and\n                                  automated solutions. Functional integration is a structured\n                                  cooperation and collaboration among DHS Components\n                                  and LOB [Line of Business] chiefs for the purpose of\n                                  achieving functional excellence in support of Departmental\n                                  mission and objectives. This is accomplished by\n                                  decreasing fragmentation and duplication, providing\n\n\n3\n Laws that govern DHS' use of personal information include the Homeland Security Act\nof 2002, \xc2\xa7 222, 6 U.S.C. \xc2\xa7 142; the Privacy Act of 1974, 5 U.S.C. \xc2\xa7 552a; and the E-\nGovernment Act of 2002, \xc2\xa7 208, 44 U.S.C. \xc2\xa7 3501 note.\n4\n This new server room was established to support CBP employees that were to be transferred from ICE\ndue to a DHS re-organization.\n\n\n\n           Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                                 the Chet Holifield Federal Building\n\n                                               Page 12\n\x0c                                   enhanced integrated services and increasing efficiency and\n                                   quality of management lines of business.\n\n                          CBP did not originally connect their new server equipment to the\n                          shared DHS OneNet infrastructure as required by the\n                          October 19, 2006, memorandum from the DHS Deputy Secretary.5\n                          However, during the course of our audit fieldwork, CBP connected\n                          this server to the DHS OneNet and has issued disconnect orders for\n                          the unnecessary high-speed telecommunications lines that the\n                          DHS OneNet replaces.\n\n\n\n\n5\n  In the Memorandum of October 19, 2006, Integration of Component Infrastructures Into the\nInfrastructure Transformation Program (ITP), the Deputy Secretary directed the department\xe2\x80\x99s components\nto integrate their infrastructure requirements into the department\xe2\x80\x99s Infrastructure Transformation Program,\nwhich includes the DHS OneNet.\n\n\n\n\n            Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                                  the Chet Holifield Federal Building\n\n                                                 Page 13\n\x0c                           System Accreditation\n\n                           CBP staff at CHFB is currently using three systems. However,\n                           only two of the three (66%) are currently authorized to operate.\n                           Specifically, CBP has not included one of the systems in the\n                           department\xe2\x80\x99s system inventory, Trusted Agent\n                           FISMA (TA-FISMA), and has not started risk assessment and\n                           accreditation process for this system. 6 See Figure 5 below.\n\n                           System Name            TA-FISMA                Risk            Accreditation\n                                                   Identifier          Assessment            Status\n                                                                         Status\n                          DHS OneNet             CBP-00044-            Completed          Authorized to\n                                                 GSS-00044                                  Operate\n                          (CBP Steward)\n\n\n                          Far West Field         CBP-00029-            Completed          Authorized to\n                          LAN                    GSS-00029                                  Operate\n\n                          The Human              No Identifier          No Status            No Status\n                          Resources File\n                          Manager\n                          System\n                          (RECFIND)\n\n                               Figure 5: Certification and Accreditation Status\n\n                           Additionally, CBP has not updated TA-FISMA to include the new\n                           server room at CHFB. Specifically, CBP staff stated that the new\n                           server room at CHFB was part of the Far West Field LAN, which\n                           is a \xe2\x80\x9ctype accreditation\xe2\x80\x9d system. 7 However, CBP has not prepared\n                           the necessary attachments to its documentation annotating CHFB\n                           site-specific physical and logical variations related to a server\n                           room that CBP had implemented at CHFB.\n\n\n\n\n6\n  DHS uses an enterprise management tool, Trusted Agent FISMA, to collect and track data related to all\nPlans of Action and Milestones, including self-assessments, and certification and accreditation data.\n7\n  According to DHS 4300A Handbook, Attachment D \xe2\x80\x93Type Accreditation:\n         A type certification/accreditation, however, allows for common security controls across the sites to\n         be consolidated and for a single master C&A to be conducted.\n\n\n\n            Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                                  the Chet Holifield Federal Building\n\n                                                  Page 14\n\x0c              According to DHS 4300A Handbook, Attachment D \xe2\x80\x93Type\n              Accreditation:\n\n                      To account for unique physical and logical variations at\n                      the site level, a description of any differences and the\n                      associated risks at each site are documented, and the site-\n                      specific documents are incorporated as attachments or\n                      appendices to the master C&A package.\n\n              CBP management cannot be assured that IT systems and data are\n              properly secured unless the various activities leading to\n              accreditation are performed and the Designated Accrediting\n              Authority (DAA) has accepted in writing the risks associated with\n              operating the systems.\n\n              According to DHS 4300A Handbook:\n\n                      The initial Risk Assessment is updated and revised and\n                      becomes the final Risk Assessment as part of the overall\n                      accreditation process after the controls are implemented\n                      and tested and the results/corrective actions are\n                      implemented. Through the development of the final Risk\n                      Assessment, the definition of the program residual risk can\n                      be determined for the DAA\xe2\x80\x99s acceptance during\n                      accreditation.\n\n              We also identified three additional IT resources that CBP had not\n              previously included in the DHS\xe2\x80\x99 TA FISMA reporting tool. See\n              Figure 6 below.\n\n                                     IT Resource Name\n                 Common Drive Home Drive, Human Resources Division\n                 OCE (desktop publishing application)\n                 CcMail\n\n                      Figure 6: CBP IT Resources Not Included in TA-FISMA\n\n              Staffs from CBP and the office of the DHS CISO are in the process\n              of determining if these IT resources should be part of the system\n              accreditation process. IT resources that are not included in the\n              accreditation process may not be properly secured, increasing the\n              risk to CBP systems and data.\n\n\n\n\nTechnical Security Evaluation of U.S. Customs and Border Protection Activities at\n                      the Chet Holifield Federal Building\n\n                                    Page 15\n\x0c              According to DHS 4300A Handbook:\n\n                      For operational systems, the DAA makes a risk-based\n                      decision either to grant full authorization to operate or\n                      deny authorization to operate.\n\n              Following discussions, CBP informed us that they would\n              determine whether CBP staff required the Human Resources File\n              Manager System (RECFIND) to perform their work. Additionally,\n              CBP is in the process of documenting the desktop publishing\n              application. Further, CBP is in the process of eliminating the need\n              for the identified home drives and cc-Mail. Following these\n              actions, CBP will properly certify identified systems.\n\n              Interconnection Security Agreements\n\n              CBP and ICE have a service level agreement for services that ICE\n              provides to CBP, including operating servers that support CBP\n              applications and users\xe2\x80\x99 data. However, the required ISAs for these\n              systems do not exist. Additionally, CBP, as steward of the DHS\n              OneNet, should have ISAs with ICE and USCIS for\n              telecommunication services.\n\n              By not establishing and maintaining ISAs, CBP may not be aware\n              of new threats or vulnerabilities to the confidentiality, integrity,\n              and availability of its systems and data.\n\n              According to the DHS 4300A Handbook:\n\n                      Components shall document interconnections with other\n                      external networks with an Interconnection Security\n                      Agreement (ISA). Interconnections between DHS\n                      Components shall require an ISA when there is a difference\n                      in the security categorizations for confidentiality, integrity,\n                      and availability for the two networks. ISAs shall be signed\n                      by both DAAs or by the official designated by the DAA to\n                      have signatory authority.\n\n                                                  **********\n\n                      ISAs shall be reissued every three years or whenever any\n                      significant changes have been made to any of the\n\n\n\n\nTechnical Security Evaluation of U.S. Customs and Border Protection Activities at\n                      the Chet Holifield Federal Building\n\n                                    Page 16\n\x0c                              interconnected system. ISAs shall be reviewed as a part of\n                              the annual FISMA self-assessment.\n\n                      Privacy Compliance Activities\n\n                      CBP has completed all required privacy compliance activities for\n                      only 1 of 3 (33%) of its systems in use at CHFB. See Figure 7\n                      below.\n\nSystem Name         TA-           Privacy           Privacy            Has the        Applicable\n                   FISMA         Threshold          Impact            PIA Been         System of\n                   Number         Analysis         Assessment        Submitted          Record\n                                   (PTA)             (PIA)           to the DHS          Notice\n                                                   Required?           Privacy        According\n                                                                      Office for        to DHS\n                                                                     Validation         Privacy\n                                                                                         Office\nDHS OneNet         CBP-         PTA              No PIA              NA               NA\n(CBP               00044-       Completed        required\nSteward)           GSS-\n                   00044\n\nFar West           CBP-         PTA was          *PIA is             No               DHS/All\nField LAN          00029-       reviewed in      required due                         GITAARS\n                   GSS-         November         to collection                        71 FR\n                   00029        of 2006.         of Personally                        78446\n                                                 Identifiable\n                                                 Information\n                                                 (PII).\n**The              None         None             Unknown             No               Justice/\nHuman                                                                                 INS-034\nResources                                                                             67 FR\nFile Manager                                                                          56585\nSystem\n(RECFIND)\n*The PTA for this system was reissued and a PIA is no longer required.\n**The Human Resources File Manager System is being retired.\n\n\n           Figure 7: Status of Privacy Act Related Activities for CBP Systems\n\n                      Specifically, the Privacy Threshold Analysis (PTA) for the DHS\n                      OneNet determined that it does not collect personally identifiable\n                      information (PII); therefore neither a Privacy Impact\n\n\n\n        Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                              the Chet Holifield Federal Building\n\n                                            Page 17\n\x0c                            Assessment (PIA) nor a System of Records Notice (SORN) is\n                            required. While the PTA for the Far West Field LAN determined\n                            that PII is collected, the DHS Privacy Office has not yet validated\n                            a PIA for this system. Additionally, DHS does not have on file a\n                            PTA or a PIA for the Human Resources File Manager\n                            System (RECFIND). Further, DHS has not issued an updated\n                            SORN to reflect that this system is now operated by DHS and not\n                            the Department of Justice. However, use of a legacy SORN is\n                            permitted as the Savings Provision of the Homeland Security Act\n                            of 2002 allows DHS to rely on legacy SORNs. 8\n\n           Recommendations:\n                            We recommend that the CBP CIO take the following actions for\n                            CBP activities at CHFB:\n\n                            Recommendation #5: Perform an analysis of the cost and\n                            benefits of continuing to operate a separate server room in lieu of\n                            sharing a DHS-operated server room.\n\n                            Recommendation #6: Complete the activities required to accredit\n                            and authorize IT systems that are in use at CHFB.\n\n                            Recommendation #7: Establish and maintain the required\n                            interconnection security agreements.\n\n                            Recommendation #8: Complete Privacy Impact Assessments and\n                            publish updated System of Records Notices as needed for systems\n                            in use at CHFB.\n\n           Management Comments and OIG Analysis\n                            In the comments, except for recommendation #8, CBP concurred\n                            with our recommendations and also reported steps taken to resolve\n                            these issues. We believe that the actions that CBP has taken and\n                            plans to take will resolve the reported issues. These\n\n8\n    According to the Homeland Security Act of 2002, Section 1512, Savings Provision:\n\n           (a) COMPLETED ADMINISTRATIVE ACTIONS. \xe2\x80\x94(1) Completed administrative actions of an\n           agency shall not be affected by the enactment of this Act or the transfer of such agency to the\n           Department, but shall continue in effect according to their terms until amended, modified,\n           superseded, terminated, set aside, or revoked in accordance with law by an officer of the United\n           States or a court of competent jurisdiction, or by operation of law.\n\n\n\n              Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                                    the Chet Holifield Federal Building\n\n                                                   Page 18\n\x0c              recommendations will be considered resolved but open pending\n              verification of reported actions.\n\n              CBP did not concur with recommendation #8. In the comments,\n              CBP stated that the PTA for the Far West Field LAN, the first of\n              two systems applicable to this recommendation, was updated and\n              validated in September 2007, following receipt of our draft report,\n              dated August 10, 2007. We believe that the reported privacy\n              compliance issue for this system has been resolved. Additionally,\n              CBP plans to retire the Human Resource File Management\n              System (RECFIND), which is the second system applicable to this\n              recommendation. Specifically, CBP stated employees would not\n              use the system after October 30, 2007. We also believe that this\n              CBP planned action will resolve privacy compliance issues for this\n              system. This recommendation will also be considered resolved but\n              open pending verification of reported actions.\n\n\n\n\nTechnical Security Evaluation of U.S. Customs and Border Protection Activities at\n                      the Chet Holifield Federal Building\n\n                                    Page 19\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n\n                             This review is part of a program to evaluate, on an ongoing basis,\n                             the implementation of DHS technical and information security\n                             policies and procedures at DHS sites. The objective of this\n                             program is to determine the extent to which critical DHS sites\n                             comply with the department\xe2\x80\x99s technical and information security\n                             policies and procedures according to DHS Directive 4300A, and its\n                             companion document, the DHS 4300A Handbook.\n\n                             We coordinated the implementation of this technical security\n                             evaluation program with the DHS CISO. We mutually agreed to\n                             the wording for the Rules of Behavior for the technical testing. 9\n                             Our entrance and exit conferences were held with CBP officials at\n                             the Office of Information Technology in Washington, DC, and by\n                             telephone with CHFB OIT officials.\n\n                             Technical evaluations were performed only after the DHS CISO\n                             and CBP agreed to our negotiated Rules of Behavior. These\n                             technical evaluations included:\n\n                                 \xe2\x80\xa2\t Security scans of the servers using various software\n                                    packages, and\n                                 \xe2\x80\xa2\t Scans to determine whether wireless devices were being\n                                    used by DHS components.\n\n                             We reviewed applicable DHS and CBP policies and procedures\n                             and CBP\xe2\x80\x99s responses to our site surveys and technical\n                             questionnaires. Prior to performing our onsite review, we used\n                             CBP\xe2\x80\x99s responses to identify occupied space, server rooms, and\n                             telecommunications closets. Our onsite review included a physical\n                             review of CBP space and interviews with CBP staff. (Our\n                             technical review included onsite reviews of server security policies\n                             as well as scans for DHS wireless devices operating at CHFB. 10\n                             Additionally, we reviewed guidance provided by DHS to the\n                             components in the areas of patch management and operating\n                             systems.\n\n\n\n9\n    The Rules of Behavior established the boundaries and schedules for the technical evaluations.\n10\n     We did not find any wireless devices being used by CBP at CHFB.\n\n\n\n               Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                                     the Chet Holifield Federal Building\n\n                                                    Page 20\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n\n                      We provided CBP with briefings concerning the results of\n                      fieldwork and the information summarized in this report. We\n                      conducted this review between February and August 2007.\n\n                      We performed our work according to the Quality Standards for\n                      Inspection of the President\xe2\x80\x99s Council on Integrity and Efficiency\n                      and pursuant to the Inspector General Act of 1978, as amended.\n\n                      We appreciate the efforts by DHS management and staff to provide\n                      the information and access necessary to accomplish this review.\n                      Our points of contact for this report are Frank Deffer, Assistant\n                      Inspector General for Information Technology, (202) 254-4100,\n                      and Roger Dressler, Director for Information Systems and\n                      Architectures, (202) 254-5441. Major Office of Inspector General\n                      contributors to the review are identified in Appendix C.\n\n\n\n\n        Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                              the Chet Holifield Federal Building\n\n                                            Page 21\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n        Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                              the Chet Holifield Federal Building\n\n                                            Page 22\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n        Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                              the Chet Holifield Federal Building\n\n                                            Page 23\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n        Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                              the Chet Holifield Federal Building\n\n                                            Page 24\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n        Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                              the Chet Holifield Federal Building\n\n                                            Page 25\n\x0cAppendix C\nMajor Contributors to This Report\n\n\n\n\n                       Roger Dressler, Director, Department of Homeland Security,\n                       Information Technology Audits\n\n                       Kevin Burke, Audit Manager, Department of Homeland Security,\n                       Information Technology Audits\n\n                       Beverly Dale, Senior Auditor, Department of Homeland Security,\n                       Information Technology Audits\n\n                       Domingo Alvarez, Senior Auditor, Department of Homeland\n                       Security, Information Technology Audits\n\n                       Matthew Worner, Program Analyst, Department of Homeland\n                       Security, Information Technology Audits\n\n                       Basil Marcus Badley, Technical Evaluator, Department of\n                       Homeland Security, Information Technology Audits\n\n                       Syrita Morgan, Management and Program Assistant, Department\n                       of Homeland Security, Information Technology Audits\n\n                       Samer El-Hage, Management and Program Assistant, Department\n                       of Homeland Security, Information Technology Audits\n\n                       Maria Rodriguez, Referencer, Department of Homeland Security,\n                       Information Technology Audits\n\n\n\n\n         Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                               the Chet Holifield Federal Building\n\n                                             Page 26\n\x0cAppendix D\nReport Distribution\n\n\n\n                       Department of Homeland Security\n\n                       Secretary\n                       Deputy Secretary\n                       Chief of Staff\n                       Deputy Chief of Staff\n                       General Counsel\n                       Executive Secretary\n                       Under Secretary, Management\n                       Assistant Secretary for Policy\n                       Assistant Secretary for Public Affairs\n                       Assistant Secretary for Legislative Affairs\n                       Chief Information Officer\n                       Chief Privacy Officer\n                       Deputy CIO\n                       Chief Information Security Officer\n                       Information Systems Security Manager, CBP\n                       CISO, CBP\n                       DHS Audit Liaison\n                       CBP Audit Liaison\n\n                       Office of Management and Budget\n\n                       Chief, Homeland Security Branch\n                       DHS OIG Budget Examiner\n\n                       Congress\n\n                       Congressional Oversight and Appropriations Committees, as\n                       appropriate\n\n\n\n\n         Technical Security Evaluation of U.S. Customs and Border Protection Activities at\n                               the Chet Holifield Federal Building\n\n                                             Page 27\n\x0cAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web\nsite at www.dhs.gov/oig.\n\n\nOIG Hotline\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of\ncriminal or noncriminal misconduct relative to department programs or\noperations:\n\n    \xe2\x80\xa2    Call our Hotline at 1-800-323-8603;\n    \xe2\x80\xa2    Fax the complaint directly to us at (202) 254-4292;\n    \xe2\x80\xa2    Email us at DHSOIGHOTLINE@dhs.gov; or\n    \xe2\x80\xa2\t   Write to us at:\n           DHS Office of Inspector General/MAIL STOP 2600, Attention:\n           Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,\n           Washington, DC 20528.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c"